Request for Input: Consent Preferences for Logged In Users (Consent API)

The coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress.-privacy team are currently working on three modular, but complementary initiatives, with the aim of merging into 5.6.
These are: The Consent APIAPI An API or Application Programming Interface is a software intermediary that allows programs to interact with each other and share data in limited, clearly defined ways. (website visitor level privacy); the Disclosures Tab (site-level privacy) and collaborating with the core-media team on the Local AvatarAvatar An avatar is an image or illustration that specifically refers to a character that represents an online user. It’s usually a square box that appears next to the user’s name. Project.

The Consent API in its current form does not distinguish between consent preferences for users who are registered and logged in, vs. those who are either not registered, or registered, but not logged in.
This means that all consent preferences are currently saved in cookies.

This means that there are two approaches available to the team. Either we can use the wp_set_consent() function from the user’s profile page to allow them to manage their preferences and prevent unnecessary API calls (proposal 1 – status quo), or we can let the database be the ultimate source of truth to provide a more robust API, rather than an interface for an analytics opt-out (proposal 2).

There has been a lot of discussion in the channel lately. I will post a separate P2P2 A free theme for WordPress, known for front-end posting, used by WordPress for development updates and project management. See our main development blog and other workgroup blogs. post for discussions such as prompting logged in users who previously opted in for consent again if new cookies are added – or at the very least least providing the necessary hooksHooks In WordPress theme and development, hooks are functions that can be applied to an action or a Filter in WordPress. Actions are functions performed when a certain event occurs in WordPress. Filters allow you to modify certain functions. Arguments used to hook both filters and actions look the same. and filters for plugins to do so. Those are concerns can be realistically and effectively addressed in the UIUI User interface design requirements.

This is a fundamental design choice and while the window is wide open now, it will not remain so for long, as 5.6. approaches.
For purposes of this discussion, we please need input on the following, so that we can take the matter to dev chat:
1. Should consent preferences for registered users (applicable when logged in) be saved in cookies, or should they be saved in the database?
If consent preferences are saved in cookies, these could be displayed (and updated) in the user profile, but the choice would be transient and would effectively need to revert to site defaults every time the cookie is cleared.
2. If they are saved in the database, should the REST APIREST API The REST API is an acronym for the RESTful Application Program Interface (API) that uses HTTP requests to GET, PUT, POST and DELETE data. It is how the front end of an application (think “phone app” or “website”) can communicate with the data store (think “database” or “file system”) https://developer.wordpress.org/rest-api/. be used to expose the logged in user’s consent preference on the front end?
3. If the REST API is used, should a new REST endpoint be created, or should register_meta() be used instead?
4. Should the consent preference be exposed on the front end using wp.data? The trade-off being that this provides nicer abstraction and makes it easier to move towards object-oriented, rather than event-orientated programming, but adds a few KB to the front-end?
5. If wp.data is used, should only this be used, or should the consent preference still be exposed to the front end by a method in point 3?

Thank you for everyone who has participated in this discussion on SlackSlack Slack is a Collaborative Group Chat Platform https://slack.com/. The WordPress community has its own Slack Channel at https://make.wordpress.org/chat/. so far. I intentionally did not include who made which proposals for this P2 post, in order to focus on the merits of the alternative solutions, but will credit participants in tickets if those need to be created.
Participants in the Slack discussion are of course very welcome to express their opinions here! 😀

Your inputs are appreciated!

#consent-preferences, #consent-api, #core-privacy, #privacy, #request-for-comment

Minutes: Core Privacy Meeting 19 August 2020

The Consent APIAPI An API or Application Programming Interface is a software intermediary that allows programs to interact with each other and share data in limited, clearly defined ways.:

The Consent API is the oldest of the privacy initiatives currently under active development, not yet merged into CoreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress..
It was created in response to the following ticketticket Created for both bug reports and feature development on the bug tracker.: https://core.trac.wordpress.org/ticket/44043 (Framework for logging/retrieving a user’s consent state)
The proposed feature pluginFeature Plugin A plugin that was created with the intention of eventually being proposed for inclusion in WordPress Core. See Features as Plugins. can be found here: https://wordpress.org/plugins/wp-consent-api/
The code is extremely light-weight (13KB, excluding the readme.txt and the licence).
The Consent API could greatly benefit from a wp_set_cookie(); function in WordPress Core, which would make adoption by pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party and theme developers more likely than the current has_consent(‘type’) approach.
These two items have natural synergies and would do well scoped together.
In its current form, the Consent API does not have any User Interface.
However, it would be more valuable to allow registered users to save their consent (functional, preferences, anonymous statistics, statistics and marketing) more permanently under their profile page for when they are logged in. There could also be settings for whether or not to make the profile visible to search engines, etc.
Logged out users, or users who are not signed up for an account, would not have a UIUI User interface in Core, but instead their UI would be provided via a cookie banner or comprehensive consent management plugin.

The Disclosures Tab:

The Disclosures Tab is intended to aggregate the information collected from individual disclosures.jsonJSON JSON, or JavaScript Object Notation, is a minimal, readable format for structuring data. It is used primarily to transmit data between a server and web application, as an alternative to XML. files in individual plugins, themes and Core.
Compiling a disclosures.json file for Core would be a significant undertaking, as, among other things, it is intended to disclose any external references (calls to other sites, available APIs, feeds, etc.)
The intention of the tab is to help site owners and admins to understand what information their site collects, where it is stored and where it is sent.
This will help site owners / admins to make more informed privacy-related choices and understand their privacy risk profile.
Any actual “controlling” (the Permissions Tab) is likely more suited as an optional plugin.
The Disclosures tab would require creating a JSON schema and writing a function (first in a plugin and then in core) to validate the schema.
The UI would most likely exist as a new tab under the Settings tab.

Enter the Local AvatarAvatar An avatar is an image or illustration that specifically refers to a character that represents an online user. It’s usually a square box that appears next to the user’s name. Project:

CNDs have privacy considerations in that, at least in theory, it is possible for the CDN to track users across sites. Some CDNs do use data obtained this way as a source of marketing analytics data. Furthermore, the hashing that is used can be brute-forced, which may lead to unwanted disclosures of someone’s identity.

The Local Avatar Project has tremendous value as a case study in best practices.
Avatars are a highly relatable way to explain complex privacy concepts to users and developers like.
Furthermore, it has tremendous persuasive potential for achieving developer buy-in, as a common refrain includes “But avatars do the same thing!”

The UI for registered users would be located on the user’s profile page.
This UI would allow a registered user to upload an avatar (and could be extended by plugin to allow for more options, like selecting from a pre-set).
The UI for authorized users would be located as a new tab under the Media tab.
The UI for site-level settings would be located where the avatar settings are currently located, as this would most likely be the most intuitive for users.

Vision:

Each of the above projects can be developed in a modal way in order to achieve a cohesive privacy-by-design vision.
This would require distinct, but complimentary education drives for developers and for site owners / admins.

#consent-api, #core-media, #core-privacy, #disclosures-tab, #local-avatar-project, #minutes

Agenda: Office Hours 19 August 2020 at 18:00 UTC

@paaljoachim has asked what the UI needs to look like for a Privacy screen in Core. You can read the conversation here: https://wordpress.slack.com/archives/C9695RJBW/p1597418745430800 (a Slack account is needed)

  • Site-level privacy
    Initiatives: 1.) Disclosures and Permissions Tab; 2.) Local AvatarAvatar An avatar is an image or illustration that specifically refers to a character that represents an online user. It’s usually a square box that appears next to the user’s name. Project (in collaboration with the #core-media team)

    The DPT would require writing a JSONJSON JSON, or JavaScript Object Notation, is a minimal, readable format for structuring data. It is used primarily to transmit data between a server and web application, as an alternative to XML. schema, as well as a coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress. function to validate it (hopefully in collaboration with the #core-restapi team).
    The UIUI User interface would most likely be under Settings -> Privacy.
    This interface should help site owners / admins understand what information their site collects (by means of individual plugins, themes, as well as Core), where it is stored and where it is sent.
    Ideally, this would provide a mechanism for the site owner to prevent data from being transmitted off-site / make choices with regards to third party access.

    Part of the Local Avatar Project would overlap with site-level privacy in the following areas: Settings, Permissions and Library.
    There is currently still a discussion as to whether a fully-fledged library is needed (defined as that image metaMeta Meta is a term that refers to the inside workings of a group. For us, this is the team that works on internal WordPress sites like WordCamp Central and Make WordPress.-data needs to be edit-able).
  • Website-visitor level privacy
    Initiatives: 1.) Consent APIAPI An API or Application Programming Interface is a software intermediary that allows programs to interact with each other and share data in limited, clearly defined ways.; 2.) Local Avatar User Upload Screen

    The Consent API in its current form is not intended to have any UI.
    This is due to the fact that website visitors who are not registered / not logged in still need to be able to exercise privacy choices.
    However, it may be nice to allow logged-in users to save their privacy choices on a more permanent basis, perhaps by making use of user_meta. In this case, there would need to be a UI on the user’s profile screen to support this.
    There would presumably still be no UI for users who are not logged in. A UI could be provided by means of a consent management pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party.

    Additionally, the Team needs to discuss which filters / functions may be necessary in Core in order to convert the Consent API feature pluginFeature Plugin A plugin that was created with the intention of eventually being proposed for inclusion in WordPress Core. See Features as Plugins. into a more fully-fledged API, e.g. wp_set_cookie();

    Part of the Local Avatar Project would overlap with website-visitor level privacy. This would mainly be in the following area(s): User Profiles. For example, users may want to indicate that they do not wish for their avatars to be indexed by search engines.

Please join us for this week’s office hours to discuss what these solutions may look like!

#consent-api, #core-privacy, #disclosures-tab, #local-avatar-project, #privacy

Feature Plugin Proposal: WP Consent API

As part of the core-privacy team’s roadmap the team has started development on a Consent APIAPI An API or Application Programming Interface is a software intermediary that allows programs to interact with each other and share data in limited, clearly defined ways. as a feature plugin.

We welcome all thoughts on this proposal, which you are welcome to leave as comments on this post, or share with us directly in the #core-privacy channel on Making WordPress SlackSlack Slack is a Collaborative Group Chat Platform https://slack.com/. The WordPress community has its own Slack Channel at https://make.wordpress.org/chat/.. We host weekly office hours on Wednesdays at 19:00 UTC, see the meetings page for times in your timezone.

Introduction

A standard way for WordPress coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress., plugins, and themes to obtain consent from users should be established to provide a consistent and stable experience for administrators, developers, and users of all kinds.

Currently it is possible for a consent management pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party to blockBlock Block is the abstract term used to describe units of markup that, composed together, form the content or layout of a webpage using the WordPress editor. The idea combines concepts of what in the past may have achieved with shortcodes, custom HTML, and embed discovery into a single consistent API and user experience. third party services like Facebook, Google Maps, Twitter, if a user does not give consent. But if a WordPress plugin places a PHPPHP The web scripting language in which WordPress is primarily architected. WordPress requires PHP 5.6.20 or higher cookie, a consent management plugin cannot prevent this.                                         

There are also WordPress plugins that integrate tracking code on the client side in javascriptJavaScript JavaScript or JS is an object-oriented computer programming language commonly used to create interactive effects within web browsers. WordPress makes extensive use of JS for a better user experience. While PHP is executed on the server, JS executes within a user’s browser. https://www.javascript.com/. files that, when blocked by a consent management plugin, break the site. Or, if such a plugin’s javascript is minified, causing the URLURL A specific web address of a website or web page on the Internet, such as a website’s URL www.wordpress.org to be unrecognizable, it won’t get detected by an automatic blocking script.

Lastly, the blocking approach requires a list of all types of URL’s that place cookies or use other means of tracking. A generic API which plugins adhere to can greatly help a webmaster in getting a site compliant.

Does usage of this API prevent third party services from tracking user data?

Primarily this API is aimed at helping to achieve a compliant use of cookies or other means of tracking by WordPress websites. If a plugin or custom code triggers for example Facebook, usage of this API will be of help to ensure consent. If a user manually embeds a facebook iframeiframe iFrame is an acronym for an inline frame. An iFrame is used inside a webpage to load another HTML document and render it. This HTML document may also contain JavaScript and/or CSS which is loaded at the time when iframe tag is parsed by the user’s browser., a cookie blockerblocker A bug which is so severe that it blocks a release. is needed that initially disables the iframe and or scripts.

Third-party scripts have to be blocked by a blocking functionality in a consent management plugin. To do this in core would be too intrusive, and is also not applicable to all users: only users with visitors from opt in regions such as the European Union require such a feature. Such a feature also has a risk of breaking things. Additionally, blocking these and showing a nice placeholder, requires even more sophisticated code, all of which should not be part of WordPress core, for the same reasons.

That said, the consent API can be used to decide if an iframe or script should be blocked.

How does it work?

There are two indicators that together tell if consent is given for a certain consent categoryCategory The 'category' taxonomy lets you group posts / content together that share a common bond. Categories are pre-defined and broad ranging., e.g. “marketing”:

  1. The region based consent_type, which can be optin, opt out, or other possible consent_types;
  2. The visitor’s choice: not set, allow or deny.

The consent_type is a function that wraps a filterFilter Filters are one of the two types of Hooks https://codex.wordpress.org/Plugin_API/Hooks. They provide a way for functions to modify data of other functions. They are the counterpart to Actions. Unlike Actions, filters are meant to work in an isolated manner, and should never have side effects such as affecting global variables and output., wp_get_consent_type. If there’s no consent management plugin to set it, it will return false. This will cause all consent categories to return true, allowing cookies and other types of tracking for all categories.

If optin is set using this filter, a category will only return true if the value of the visitor’s choice is allow.

If the region based consent_type is opt out, it will return true if the visitor’s choice is not set or is allow.

Clientside, a consent management plugin can dynamically manipulate the consent type, and set the applicable categories.

A plugin can use a hook to listen for changes, or check the value of a given category.

Categories, and most other stuff can be extended with a filter.

Existing integrations

  • Cookiebot
  • Complianz
  • Example plugin. This plugin basically consists of a shortcodeShortcode A shortcode is a placeholder used within a WordPress post, page, or widget to insert a form or function generated by a plugin in a specific location on your site., with a div that shows a tracking or not tracking message. No actual data tracking 🙂

Demo site

Plugins used to set this up:

Technical Scope

The feature pluginFeature Plugin A plugin that was created with the intention of eventually being proposed for inclusion in WordPress Core. See Features as Plugins. should at least handle the following functionality:

  • PHP functions to set the consent level and consent type.
  • PHP functions to retrieve the consent level and consent type.
  • Javascript functions to set the consent level.
  • Javascript hook that fires when a consent level is set.
  • Javascript functions to retrieve the consent level.

Introducing the Feature Plugin

What’s next?

Once the plugin is confirmed as a feature plugin, the next steps would be:

  • To increase the number of users of the feature plugin.
  • To add other interested privacy team members and core developers as contributors of the plugin.
  • To have additional Third-Party consent management plugins to adopt the API.
  • To iterate on the feature plugin development.
  • To audit some specific aspects of the feature plugin:
    • security
    • coding-standards and documentation
  • To create a TracTrac An open source project by Edgewall Software that serves as a bug tracker and project management tool for WordPress. ticketticket Created for both bug reports and feature development on the bug tracker. to handle a potential future merge proposal – if the feature plugin deserves it.

Post written by @rogierlankhorst / @paapst and reviewed by @garrett-eclipse / @carike

#consent-api, #core-privacy, #feature-plugins, #privacy, #privacy-roadmap